CVE-2025-24891
Published: 31 January 2025
Summary
CVE-2025-24891 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-24891 is a path traversal vulnerability (CWE-22, CWE-276) affecting Dumb Drop, a file upload application. Published on 2025-01-31, it enables users with permission to upload files to the service to overwrite arbitrary system files through improper path handling. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and potential for high impacts across confidentiality, integrity, and availability.
The attack scenario targets users able to interact with the upload functionality, which may include wholly unprivileged external attackers if the service runs without authentication enabled, or, when a PIN is configured, anyone who holds it. Exploitation occurs over the network and requires user interaction. Because the container runs as root by default, an attacker can overwrite any system file without restriction. This can enable injection of malicious payloads into files executed on a schedule or triggered by service actions, potentially granting full root access.
Mitigation details are provided in the Dumb Drop GitHub security advisory (GHSA-24f2-fv38-3274) and a related commit (cb586316648ccbfb21d27b84e90d72ccead9819d), which address the path traversal issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3976
Vulnerability details
Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files run on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.
- CWE(s): CWE-22 (Path Traversal), CWE-276 (Incorrect Default Permissions)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing file upload app allows arbitrary system file overwrites from the network, directly enabling exploitation of a public-facing application (T1190), root privilege escalation inside the container (T1068), and ingress of malicious payloads to arbitrary locations for later execution (T1105).
CVEs Like This One
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly prevents path traversal exploitation by validating and sanitizing file paths in upload requests to block sequences like '../'.
AC-6 (Least Privilege): Mitigates the impact of a successful path traversal by enforcing least privilege, ensuring the container does not run as root and cannot overwrite arbitrary system files.
IA-8 (Identification and Authentication (Non-Organizational Users)): Requires identification and authentication for non-organizational users accessing the upload service, preventing wholly unprivileged exploitation when authentication is disabled by default.